Good luck finding a safe VPN

If you're most people, you just found out about the FCC's internet privacy rules by way of their untimely demise. Thanks to the FCC's new chief, Congress, and Donald Trump, ISPs are now free to track you like crazy and sell your data to the four directions. As a result, interest in VPNs exploded overnight.

Before the Obama-era FCC's privacy and security safeguards could go into effect, new FCC chairman Ajit Pai readied the hearse by suspending them indefinitely as his first big act. This ensured they'd never see the light of day, even if Congress didn't come in for the kill with their anti-privacy-rules bill. Which they did. This was immediately followed by Trump signing that bill lickety-split, ensuring no one gets any of the protections they were promised.

When the attacker is your ISP

So, as you probably know from reading headlines over the past week, ISPs are free to track you and sell your data to third parties. Less reported, yet equally disastrous to have taken away, is the part in the protections that gave consumers power to hold internet and cable providers accountable for data breaches.

Consumer security, the new FCC chief told Congress, isn't the FCC's area of interest anymore.

Using a VPN for cloaking your activity from your ISP is a practical solution -- especially if you combine it with tracker-blocking browser plug-ins like uBlock Origin, because ads are trackers too.

With a VPN, the user's internet connection travels encrypted from computer to VPN server; from there the user's connection travels unencrypted to their final destination (a website). This way, websites only see the VPN's IP address and not the user's, and your ISP only sees you visiting the VPN. The ability of any attacker to spy, intercept, attack or steal information stops at the VPN. That's why they're essential for personal security when you use public WiFi.

Once the idea took hold that VPNs were the magic solution to ISP spying, tracking, and data sales, suddenly everyone and their dog was publishing an article about it. Lots of these articles tell you to use a VPN service with "the hallmarks of a trustworthy service" but few explain what that means, exactly.

Many of these explainery-think pieces, not surprisingly, are profit-seeking endorsements for affiliate VPN services. Not all of which are VPNs you can trust, even if they come from a trusted blog or source.

Trust issues

Selecting a VPN you can trust already took research and consideration: weighing connection speeds and pricing, learning about who keeps records and for how long, and more. VPN services are also like any other in that they change their record-keeping policies and privacy practices over time, so that's another thing to keep up with.

In addition, these services are easy to misconfigure. Just over a year ago, VPN provider Perfect Privacy found a massive security hole in many services called "Port Fail." It was a bug that de-anonymized users, and most VPN services ignored the problem until the press made noise about it. Many took weeks to put in a fix. One of those was a service endorsed by Lifehacker, which just shows that anyone can have problems finding a reputable VPN.

It can be overwhelming. It's not as simple as using whatever VPN the security cool kids say is "the one," because even popular services have been behaving badly. For example, popular service Hola VPN recently got caught selling user traffic to a botnet.

Fortunately, like most infosec topics, VPNs are a bit of a fetish unto themselves for people who are into them. Just take a look at this exhaustive comparison chart at That One Privacy Site.

In these extensive posts, TF talks to dozens of top VPN services and asks them what their record keeping policies are, as well as "various other privacy related issues." If a VPN gets a great review one year, has a less great review the next, and then drops off the list completely (like TigerVPN did), then definitely take that as a "buyer beware."

The drawbacks? They can slow your connection down, and they may not work with services like Netflix that want to know where you're physically located. Some public places block the use of VPNs, which should be your sign that the network isn't safe to use anyway.

Once you're set up, use the steps in this post to test your VPN to make sure the outside world can only see your VPN's IP address, and make sure you're not leaking your actual IP.
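As an added illustration (not from the original article or the post it links to), the Python sketch below shows the logic of such a leak test: every address the outside world reports for you while the VPN is up is compared with the ranges your ISP assigns you. It goes a little beyond the plain IP check by also covering DNS resolvers and WebRTC candidates; the address ranges, channel names and sample observations are constructed assumptions.

```python
import ipaddress

# Constructed sample data using documentation address ranges (RFC 5737, RFC 3849).
ISP_NETS = ["198.51.100.0/24", "2001:db8:1::/48"]  # assumed: addresses your ISP gives you
VPN_NETS = ["203.0.113.0/24"]                      # assumed: your VPN's exit range
LOCAL_NETS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
              "fe80::/10", "fc00::/7"]             # never routable on the internet
OBSERVED = {  # what each channel reported while the VPN was connected
    "http_echo": ["203.0.113.45"],
    "dns_resolvers": ["203.0.113.53", "198.51.100.1"],
    "webrtc_candidates": [
        "candidate:1 1 udp 2122260223 10.8.0.2 51000 typ host",
        "candidate:2 1 udp 1686052607 2001:db8:1::25 51001 typ srflx raddr :: rport 0",
        "candidate:3 1 udp 2113937151 f3a1c2d4.local 51002 typ host",
    ],
}

def _nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

def extract_ip(value):
    """Parse a bare address or the address field of an ICE candidate line."""
    fields = value.split()
    token = fields[4] if value.startswith("candidate:") and len(fields) > 5 else value.strip()
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None  # hostname-style (mDNS) candidates carry no address

def classify(ip, isp, vpn, local):
    if any(ip in n for n in isp):
        return "LEAK"  # your ISP-assigned address is visible outside the tunnel
    if any(ip in n for n in vpn):
        return "vpn"
    return "local" if any(ip in n for n in local) else "unknown"

def audit(observed, isp_cidrs=ISP_NETS, vpn_cidrs=VPN_NETS):
    isp, vpn, local = _nets(isp_cidrs), _nets(vpn_cidrs), _nets(LOCAL_NETS)
    findings = []
    for channel, values in observed.items():
        for value in values:
            ip = extract_ip(value)
            if ip is not None:
                findings.append((channel, str(ip), classify(ip, isp, vpn, local)))
    return findings

def leaks(findings):
    return [(channel, addr) for channel, addr, verdict in findings if verdict == "LEAK"]

if __name__ == "__main__":
    for row in audit(OBSERVED):
        print(*row)
```

An "unknown" verdict is not a pass: it means the address belongs to neither your ISP nor your VPN, for example a third-party DNS resolver, and is worth checking by hand.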

When the trend is people turning to VPNs for protection from their own internet service providers -- in their own homes -- it's safe to say the privacy and security situation for most Americans has gotten pretty bad.

It's not all terrible, at least insofar as general security literacy goes. But the trade-off is probably not worth it.

The murder of the FCC's privacy rules is a sign that any war for the soul of consumer protection in the era of the internet is lost. I just hope that someday we can find our way home from here, before it's really too late.

Ms. Violet Blue (tinynibbles.com, @violetblue) is the author of the forthcoming book How To Be A Digital Revolutionary. She is a freelance investigative reporter on hacking and cybercrime, as well as a noted columnist. She is an advisor to Without My Consent, and a member of the Internet Press Guild. Ms. Blue has made regular appearances on CNN and The Oprah Winfrey Show and is frequently interviewed, quoted, and featured in a variety of outlets including BBC, Newsweek, and the Wall Street Journal. She has authored and edited award-winning, best-selling books in eight translations and was the San Francisco Chronicle's sex columnist. Her conference appearances include ETech, LeWeb, CCC, and the Forbes Brand Leadership Conference, plus two Google Tech Talks. The London Times named Blue one of “40 bloggers who really count.” Ms. Blue is the author of The Smart Girl's Guide to Privacy. Find out more about her work in writing, sexuality, security, and privacy on her Patreon.